In yet another example of the dangers that accompany increased use of digital healthcare information, security vulnerabilities in Philips' Xper Information Management system were found at last week's SCADA Security Scientific Symposium in Miami.

Terry McCorkle and Billy Rios, Cylance researchers who previously found 98 easily exploitable vulnerabilities in SCADA products, according to an eSecurity Planet article, demonstrated the holes at the symposium. They said they were able to easily hack into a Philips medical information management system, and that a simple "fuzzer" (an automated software-testing tool) was used to gain privileged user status on the Xper system, which already has weak remote authentication, Dark Reading reported.

"Anything on it or what's connected to it was owned, too," Rios said at the conference, according to Dark Reading. He pointed out that vendors that develop electronic medical record and industrial control systems (ICS) products--including Siemens, Philips, Honeywell and GE--don't change their habits when it comes to security. "The mentality we see and the attitudes are exactly the same," he said.

According to SC Magazine, the "unpatched flaws within the Philips Xper systems" enabled McCorkle and Rios to, within two hours, gain remote root access.

"It was a very basic fuzz case," McCorkle said. "This [machine] manages other medical devices, and you can do anything you want to it once you're in. We were surprised how fast the [U.S. Food and Drug Administration] got involved."

With increased use of technology for healthcare purposes comes great responsibility to guarantee its security, as various data threats have remained prevalent in the beginning of 2013. Hackers, social media gaffes and malware all remain threats to the security of thousands of people's personal healthcare information.

In September 2012, the Government Accountability Office (GAO) reported that the Food and Drug Administration needed to pay more attention, in particular, to the information security risks for implantable electronic medical devices such as heart defibrillators and insulin pumps, including the threat of hacking and sabotage. GAO auditors noted that the FDA's current system for post-market adverse event reporting relies heavily on self-reporting from manufacturers, a method that Rios and McCorkle have shown is faulty and leaves out hundreds of possible security risks.
